SMEs and responsible data processing

Filipinos have long been known to be prolific users of social media, even before work-from-home arrangements became popular as a result of this ongoing pandemic. But when a lot of employees were laid off from work, because of this public health crisis, the number of people who turned to social media applications and platforms in order to seek out work and other income-earning opportunities increased exponentially.

Many put up online stores and other so-called small to medium enterprises (SMEs), including those who previously had physical shops that had to be closed down due to economic hardships. Their decision is not without sound basis. According to at least one report, around 37% of the Filipinos tried new digital services during the pandemic leading to a tremendous growth in the Philippine e-commerce landscape, particularly among small business enterprises.1 The reason? Consumers have been forced by COVID-19 to do most of their transactions online.  A convenience deemed necessary to adjust to these challenging times.

Of course, with online transactions come all the data collection and use necessary to facilitate such processes. Consumers who use a social media or online platform are typically asked to submit personal data in order for entities to process their transactions, whether it be for a particular service or product. Their names, email addresses, contact numbers, delivery addresses, and modes of payment comprise the basic information they are usually required to provide.

Soon enough, all sorts of issues surfaced in relation to these data processing operations. Sometimes, sellers would collect information from buyers, even if they seem to have no relevance to their business transaction. For instance, they sometimes seek out a person’s gender, salary range, or social media accounts. There are also those who encourage or at least tolerate customers who disclose their personal data (e.g., home addresses or phone numbers) in public selling posts. Others repurpose the collected data and use them for marketing purposes, even without proper authorization. Together, these practices expose customers to spam or unsolicited marketing communications, as well as the risks posed by scams, identity theft, and other types of fraud.

In most instances, the entities behind these practices are not inherently bad actors. Many of them are small-scale businesses, usually unfamiliar with online safety concerns and are just coping with the present circumstances. They are not well informed about data privacy, the laws and regulations that require it, and the risks they are supposed to protect people from. This is unfortunate since privacy risks do not only threaten to compromise consumer data; they also affect businesses’ reputation or goodwill. For this reason, online merchants should make an effort to know the privacy rights of their customers, as well as their own responsibilities when it comes to handling people’s data.

The following are some simple steps SMEs can take to heart to make sure they can keep doing business online without violating data protection laws and regulations:

• Before collecting data, know why you are collecting it in the first place. In most cases, you should only collect those information relevant to a sales transaction.  For contact purposes, a phone number and home address would usually suffice. Do not go overboard and ask for the customer’s data like age, birthdate, or social media account without any clear and lawful use for them.
• Adopt a privacy notice. In your website or social media account, put up your privacy notice.  Make sure to put there what data you are collecting, what are you going to do with them, and if you are going to share them with third parties.
• Obtain consent and indicate data processing for marketing purposes. Avoid repurposing collected data for marketing purposes. In most cases, getting the customer’s consent first is the ideal way to go. In some instances, making the customer aware that his or her personal data will be used for marketing may be enough.
• Dispose of unnecessary data.  Dispose of any data collected in relation to a transaction if there is no further lawful use for it. This is ideal not to comply with data privacy rules, but also to avoid additional administrative costs the safe storage of data will surely entail.
• Contribute to data privacy awareness. Do your part in helping customers become aware of the value of their personal data and their rights in relation to their data. 

SMEs rely a lot on their customers’ trust in terms of business resiliency. Often, it is regular or repeat customers who hold the key to their continued success. To establish consumer trust, they need to be responsible in their data processing activities. Following these simple steps can go a long way towards that goal. When SMEs are able to show that they abide by data protection laws, they can prove that they are not just out there to seek profit but also to take care of their customers’ welfare. That spells a world of difference.